During the first half of 2022, Christus Health, a not-for-profit health system, and Christus Spohn Health System Corporation, a part of that system, experienced a cyberattack. The complaint for this class action alleges that the data breach exposed the personally identifiable information (PII) and protected health information (PHI) of more than 700,000 individuals, and that it was due to the maintaining of the information “in a negligent manner.”
The Nationwide Class for this action is all persons whose private information was actually or potentially accessed or acquired during the data breach of which Christus Spohn provided notice beginning on or about July 1, 2022.
The complaint alleges that Christus’s “data security obligations were particularly important given the substantial increase in cyberattacks and/or data breaches in the healthcare industry preceding the date of the breach.”
The complaint quotes a report from the Federal Bureau of Investigation (FBI) as warning that “Entities like smaller municipalities and hospitals are attractive to ransomware criminals … because they often have lesser IT defenses and a high incentive to regain access to their data quickly.”
Christus became aware of the cyberattack on May 4, 2022, the complaint alleges, and eventually determined that the cyberattack had run from April 9 to May 4, during which an unauthorized party had copied and taken information. However, the complaint alleges that Christus did not begin sending notices to the individual victims until July 1.
The two companies operate hospitals and medical centers, and, according to the complaint, the information obtained included names, dates of birth medical record numbers, Social Security numbers, health insurance information, and some limited clinical information.
“Upon information and belief,” the complaint claims, “the mechanism of the Data breach and potential for improper disclosure of [the] Private Information was a known risk to [Christus]; and, thus, [Christus] were on notice that failing to take appropriate protective measures would expose and increase the risk that the Private Information could be compromised and stolen.”
The complaint alleges that the companies also know “the foreseeable consequences that would occur if [Christus’s] data security system was breached, including, specifically, the significant costs that would be imposed on Plaintiff and Class Members as a result of a breach.”
The complaint alleges, “A hacker group known as Avoslocker has claimed credit for the cybersecurity attack, demanded a ransom, and posted a portion of [the information] on the dark web.” According to the complaint, the exposed information “can, and likely will, be sold repeatedly on the dark web” with the victims remaining at risk for the rest of their lives.
Article Type: LawsuitTopic: Privacy
Most Recent Case Event
Christus Health Cyberattack Complaint
December 23, 2022
During the first half of 2022, Christus Health, a not-for-profit health system, and Christus Spohn Health System Corporation, a part of that system, experienced a cyberattack. The complaint for this class action alleges that the data breach exposed the personally identifiable information (PII) and protected health information (PHI) of more than 700,000 individuals, and that it was due to the maintaining of the information “in a negligent manner.”
Christus Health Cyberattack ComplaintCase Event History
Christus Health Cyberattack Complaint
December 23, 2022
During the first half of 2022, Christus Health, a not-for-profit health system, and Christus Spohn Health System Corporation, a part of that system, experienced a cyberattack. The complaint for this class action alleges that the data breach exposed the personally identifiable information (PII) and protected health information (PHI) of more than 700,000 individuals, and that it was due to the maintaining of the information “in a negligent manner.”
Christus Health Cyberattack Complaint